What is the best way to reissue user certificates after configuration change in a template?
I have set up my MS-ADCS environment in my company and configured auto-enrollment. I have everything working great, but found out that I want my "Subject Name Format" to have a different value.
We are not using the certificates yet in any service, so there's no real problem removing them and reissuing new ones.
My question is: what is the best way, or the right way, to remove all issued certificates (~200) with the wrong subject value and deploy new certificates with the new (and right) subject value? All users are in AD and I can use scripts or group policy if needed.



Thanks.



EDIT: just to clarify my intent - I prefer to remove/delete the issued certificates with the wrong subject format and don't care at this point about the revocation list (note - I am aware of the consequences).
      certificates public-key-infrastructure
      edited 2 hours ago
      asked 2 hours ago
      DaveIce
          3 Answers
ADCS has a feature for this.

Assuming you have the Certificate Services Client - Auto-Enrollment group policy configured, simply create a new template in the MMC with the correct SAN configuration and add the original template name to the Superseded Templates tab. Group policy will enroll for a new certificate with this template and delete the original for you.

There's no need to revoke anything as nothing's been compromised.

answered 58 mins ago by garethTheRed

• Nice! That makes perfect sense... +1 for the answer, I'll update about the results.
  – DaveIce
  43 mins ago

If you don't use the certificates in any service and they don't have a real purpose at the moment, I guess it would be best to revoke the issuing intermediate CA and create a new one issuing the right certificates.

This would be the most maintainable way to revoke all the certificates, and your CRL would not get bloated before you even start using the certificates.

answered 2 hours ago by Lithilion

• That is correct, but I prefer to remove the certificates with the wrong subject and have my users with the corrected certificate.
  – DaveIce
  2 hours ago

I think I've found the answer:
Right-clicking the template with the new change, there is an option to "Reenroll All Certificate Holders". Once you choose that, the template version increases, so the next time the client verifies the certificate version against the template version on the CA, the client re-enrolls.
I tested it with a restart of one of the laptops and the result was only 1 user certificate with the right Subject format.
Note: I think for this option to show up, Auto-enrollment must be configured for the template.

edited 21 mins ago
answered 27 mins ago by DaveIce